When a Law Firm Gets Hacked: A Case Study in Cybersecurity Risks and Recovery

As cyberattacks become increasingly sophisticated and prevalent, law firms are emerging as targets due to the highly sensitive nature of their data and pools of money. Law firms can hold a wealth of confidential data, including client identities, case details, and proprietary legal strategies, making them prime candidates for cybercriminals seeking to exploit this valuable information. Given the stakes, cybersecurity in the legal industry has never been more critical.
This article explores the growing threat to law firms by examining an actual hack of an Ontario law firm that experienced a cyberattack. We analyze the impact of the breach, the resulting consequences, and the essential lessons learned to help other firms strengthen their defenses and be prepared to address similar threats.
MBC Law Professional Corporation is a mid-size (by Ottawa standards) bilingual boutique litigation firm in Ottawa, servicing clients primarily in the construction industry, commercial business and estate litigation areas.
Unbeknownst to MBC Law, in December 2023, someone accessed the MBC Law network following a series of “brute force” attacks on the network. This “threat actor” appeared to have accessed and exfiltrated data from the MBC Law server.
The attack was a common pattern of financially motivated cybercrime in today’s business environment. During such compromises the threat actor’s primary goal is to gain access to the law firm’s network, get information, such as personally identifiable information, and then extort payment from the firm to decrypt their data and/or prevent its publication.
Below is a summary of how MBC addressed a cyber attack by a terrorist organisation, and the lessons learned.
The Incident: How the Cyber Attack Happened
On January 17, 2024, MBC Law discovered malicious activities on its IT systems. This was identified through the IT contractor, who noted some unauthorized access to the MBC system. A few hours after detection, and as recommended by its IT contractor, MBC Law retained a cybersecurity incident response contractor (the “Cybersecurity Specialist”) to assess its network, see what was compromised by the threat actor, and assess the next steps. The intent of hiring the Cybersecurity Specialist was to conduct forensic investigations, assess the severity of the breach, seek an appropriate response to the incident, and then improve security monitoring services.
On January 19, 2024, MBC Law was notified that a certain agent was identified on various workstations. At that time, there was no indication that any information had been accessed.
The next day, MBC Law was advised that the network was likely compromised, and the following day, MBC was advised that data had likely been accessed by the threat actor.
On January 22, 2024, MBC received a first contact email from the threat actor with confirmation of their intention to elicit payment for the information. The threat actor also provided a list of files that appeared to be from the MBC Law server.
On January 23, 2024, another email was sent to MBC Law from the threat actor with a list of files. The list of files appeared to be unrelated to files held on the MBC Law server and appeared to be from a different victim of an attack.
On January 30, 2024, the threat actor contacted some clients, other lawyers, and opposing parties. Those emails encouraged them to contact MBC Law and pressure the firm to reach out to the threat actor.
On February 7, 2024, the final email (to date) from the threat actor was received.
The Response
As an immediate response, and as recommended by the Cybersecurity Specialist, MBC Law disconnected from the internet so that there could be no further unauthorized access. The forensic investigation determined that several machines had been compromised, but they could not conclude with certainty how deep the breach was. As a further recommendation by the Cybersecurity Specialist, all machines were completely formatted, and the operating system reinstalled. Over a period of several weeks, the MBC Law server was rebuilt.
The list of files was reviewed by MBC Law, and thankfully, client documents at MBC Law were stored in another section and server in a separate imaging software. The files accessed by the threat actor did include client work product. In a review of the list by MBC Law, private information relating to employees, lawyers, partners and clients may not have been accessed by the threat actor. It appeared that the MBC Law accounting software and client management software were not accessed.
MBC Law did not engage with the threat actor.
MBC Law utilises an overnight, off-site backup. File data was restored to the day prior to the shutdown, therefore minimizing any data loss.
MBC Law reached out to the Law Society of Ontario to report the breach and seek guidance. The LSO advised that the LSO did not assist law firms in these situations and did not have guidelines for licensees in this situation. It advised that these types of situations may not be a breach of the Rules of Professional Conduct, and that the steps MBC Law was taking seemed to be in accordance with the Rules of Professional Conduct, but that nothing in the Rules stated who the firm was to notify nor what steps to take. All of this was conveyed during a phone call, and no further recommendations or resources were provided.
LAWPRO was contacted so that MBC Law could report the breach and obtain direction on next steps. LAWPRO confirmed that there is some limited insurance coverage for claims made as a result of a data breach. It advised that there was no information or resources that it could supply MBC Law to guide it in dealing with the breach.
As required by law, MBC Law reported the data breach to the Office of the Privacy Commissioner of Ontario. MBC Law worked with the Office of the Privacy Commissioner to provide all relevant information for its investigation.
MBC Law also reported the crime to the Canadian Anti-Fraud Centre.
As a result of the attack, MBC Law imposed intense monitoring of all workstations to aid in the investigation and to aid in containing potential threat actor activities.
The following was implemented as a result of the breach:
- Reset passwords for all domain and local administrator user accounts.
- Implementation of additional security controls such as Multi-Factor Authentication.
- Ensure web servers, firewalls, and VPN applications are updated with the latest security patches.
- Monitor administrator user accounts for unauthorized and unusual accesses, as well as access attempts. Review all administrator and highly privileged user and service accounts and delete any that are not required.
- Implement continuous security monitoring within the environment that includes endpoint (servers and workstations), cloud, and network components.
- Ensure anti-virus is installed and running on all systems and is receiving updates to enhance its detection of malicious activity and malware.
- Develop an Incident Response Plan and impose employee training and awareness.
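One way to implement the administrator-account monitoring item above against the kind of brute-force activity described in this case, as an added example that is not from MBC Law or its contractors. The log format, account names, window and threshold are assumptions, and the events are constructed samples.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, account, outcome.
SAMPLE_EVENTS = """\
2025-03-01T02:00:00 203.0.113.7 administrator FAIL
2025-03-01T02:00:10 203.0.113.7 administrator FAIL
2025-03-01T02:00:20 203.0.113.7 administrator FAIL
2025-03-01T02:00:30 203.0.113.7 administrator FAIL
2025-03-01T02:00:40 203.0.113.7 administrator FAIL
2025-03-01T02:00:50 203.0.113.7 administrator FAIL
2025-03-01T02:01:00 203.0.113.7 administrator OK
2025-03-01T09:00:00 198.51.100.20 jsmith FAIL
2025-03-01T09:00:30 198.51.100.20 jsmith OK
"""

ADMIN_ACCOUNTS = {"administrator", "svc-backup"}  # hypothetical privileged accounts
WINDOW = timedelta(minutes=5)                     # assumed look-back window
THRESHOLD = 5                                     # assumed failures per source per window

def parse(text):
    """Yield (timestamp, source, account, outcome) from whitespace-separated lines."""
    for line in text.strip().splitlines():
        ts, src, account, outcome = line.split()
        yield datetime.fromisoformat(ts), src, account.lower(), outcome

def detect(text, window=WINDOW, threshold=THRESHOLD, admins=ADMIN_ACCOUNTS):
    """Return alerts for failure bursts and for a success that follows a burst."""
    failures = defaultdict(deque)  # source -> timestamps of failures inside the window
    alerts = []
    for ts, src, account, outcome in sorted(parse(text)):
        recent = failures[src]
        while recent and ts - recent[0] > window:  # expire failures older than the window
            recent.popleft()
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # alert once when the burst crosses the threshold
                alerts.append(("BRUTE_FORCE", src, account, ts))
        elif outcome == "OK" and len(recent) >= threshold:
            # A success right after a burst from the same source is the urgent case.
            kind = "ADMIN_LOGIN_AFTER_BURST" if account in admins else "LOGIN_AFTER_BURST"
            alerts.append((kind, src, account, ts))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for kind, src, account, ts in detect(SAMPLE_EVENTS):
        print(ts.isoformat(), kind, src, account)
```

A single mistyped password followed by a successful login, as in the `jsmith` sample lines, raises no alert; only a burst of failures from one source does.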
The Impact and financial losses:
The cyberattack on MBC Law, with 12 lawyers and 12 staff, had significant financial repercussions, both direct and indirect. Direct financial losses include IT recovery costs and infrastructure upgrades. Rebuilding IT systems, which involved data recovery, forensic investigations, and enhanced cybersecurity measures, can range from $50,000 to $150,000 (or more depending on the size of the business). Infrastructure upgrades (which should be done in any event), including new machines and advanced cybersecurity software, might add another $30,000 to $60,000 depending on needs and the size of the business.
The firm’s operations were severely impacted for a two-week period while MBC Law was disconnected from the internet and was having its machines formatted. It did not return to being fully functional until approximately 4 weeks after the detection of the breach. Some fairly simple math based on billable rates can illustrate the cost.
A cyberattack on a litigation law firm can severely disrupt ongoing cases and strain client relationships in several ways. The immediate disruptions in access to case files, evidence, and communication tools delay litigation. Lawyers may be unable to prepare for court dates, file documents, or respond to opposing counsel, leading to missed deadlines and postponed hearings, which can jeopardize case outcomes. For a brief period of time, lawyers at MBC Law were attending court hearings on cell phones without access to files or materials, other than what opposing counsel was able to share.
The firm’s ability to provide consistent, high-quality service was compromised. Clients experienced some delays in communication and responses.
Overall, a cyberattack can significantly disrupt legal proceedings, damage client relationships, and undermine the firm’s overall reputation and operational stability as well as being a large financial cost.
Lessons Learned
Key takeaways from a law firm that has been hacked underscore the critical importance of proactive cybersecurity measures and employee vigilance. First, investing in robust cybersecurity infrastructure is essential. This includes regular updates to firewalls, intrusion detection systems, and encryption protocols, which can significantly mitigate the risk of breaches.
Equally important is fostering a culture of cybersecurity awareness among employees. Since human error is often the weakest link in security, continuous training on recognizing phishing attempts, handling sensitive information securely, and following best practices is crucial. Employees should be encouraged to report suspicious activities immediately and adhere to strict password policies and data protection protocols. Many of these practices cost law firms little or nothing extra: they are habit based and can be easily implemented through clear policies, without technology beyond what most firms already have installed.
The role of vigilance cannot be overstated. Employees who are well-informed and attentive can prevent many breaches by avoiding risky behaviors and promptly addressing potential security threats. Overall, a combination of advanced technological safeguards and an informed, vigilant workforce forms the backbone of a strong defense against cyberattacks, ensuring the integrity and confidentiality of sensitive legal data.
Understanding what data a firm has in its possession is necessary. Safe data retention practices are also crucial; ensure that sensitive data is securely encrypted, regularly backed up, and retained only for as long as necessary. Implementing these safeguards can significantly reduce vulnerability and enhance overall security posture.
Conclusion
This incident highlights the pressing need for all law firms, regardless of size, location, and area of practice(s), to adopt a proactive approach to cybersecurity. By investing in advanced security measures, conducting regular risk assessments, and fostering a culture of vigilance among staff, firms can better safeguard themselves against similar threats.
The cyberattack on this law firm serves as a stark reminder of the vulnerabilities that legal institutions face. It is essential to recognize that cybersecurity should be viewed not just as a technical necessity but as a critical component of law firm management. Protecting sensitive client information and maintaining operational integrity are fundamental to preserving trust and ensuring continued success in the profession.
LAWPRO thanks MBC Law for agreeing to provide this account of their experience. It is our hope that others will heed the lessons and take measures to protect themselves and their clients from a similar attack. MBC is commended for presenting this significant event. It inspires faith that a law firm can recover but more importantly reminds all to take precautions to avoid a similar event as much as they can. There are easy, no-cost measures that everyone can implement.